New Intermediary Guidelines.. Intermediaries need to have Indian Subsidiaries..

[This is in continuation of the previous article on the subject]

In the 2011 version of the guidelines, the “Due Diligence” included  a prompt action to be taken by the intermediary when a complaint is received by them about some contravention occurring on his platform with a message that is either stored or displayed under his control. The guideline stated that” When the intermediary receives actual knowledge”, he has to remove the information within 36 hours from the display but preserve it as evidence for legal purposes.

This applied to mainly websites including Facebook or Twitter which  “Publish” Content. Initially some intermediaries interpreted this as if it was a mandate to remove the allegedly offending content within 36 hours and the Government later on clarified that the Intermediary need not take a judgmental view of what is right or wrong but has to wait for a judicial order.

Now the Government says that they are modifying this rule consequent to the Shreya Singhal Judgement. Accordingly the sub section 4 has been removed and a new sub section 4 along with some modifications in sub section 5 has been introduced.

Also the sub section (8) clarifies that the “Actual Knowledge” refers to receiving a Court order or a notification from an appropriate Government agency.

Now, it will be necessary for the Intermediary to send “Monthly Reminders” to the users that in case of non compliance with rules and regulations and user agreement and privacy policy the service access may be terminated.

Comment: While it appears that this will introduce a new responsibility for monthly reminders to the lakhs of subscribers which some of the intermediaries like Facebook, Google or WhatsApp may have, it can be implemented with a monthly customization of access involving a pop up notice instead of sending an e-mail notice.

One advantage of this monthly notification rule is that whenever the policy is changed by the service provider, he will have a monthly window when he can inform the user with a link to the new version of the policy. This will prevent the obnoxious policy of a policy or terms of service being modified without a notice to the users. Though this notice of modification is mandatory for contractual purpose, the proposed monthly alerts can be a good approximation to meeting this obligation of notice of change.

Under Sub rule 5 it is now clarified that the intermediary is obliged to respond to an assistance for information as asked by an appropriate Government agency when required by a “lawful order”. It is necessary that such request is made in writing (including electronic) stating the purpose and the information required and the intermediary shall enable tracing the originator of the message.

Comment: This provision is nothing new since such powers of requesting for information under Sec 69B or CrPC was already available to the law enforcement agencies including the Courts. There is better clarity now.

Though some intermediaries may have some issues in recording IP address and other log information associated with the messages/posts it is easily done as observed by the server of the service provider. Obviously, if the server does an “Anonymization” of the user, then they have the need to answer the law. If the user has spoofed the identity, then the service provider may not be generally liable except to the extent of identifying spoofing attempts as part of the “Reasonable Security Practice”.

For example when a “Phishing” mail is sent by a person from a server which is different from what it appears to be in its name, the e-mail provider or the message receiving server needs to identify that the sending device identity does not match with the published identity and hence the message is suspicious. Already many mail servers have implemented verification of the signature of the previous sender and this system needs to be extended to other cases as part of the compliance requirements. (Look forward to more clarification from my tech friends).

Another interesting aspect of the notification is Rule 7 which states that intermediaries with more than 50 lakh users in India or specifically notified by the Government should be companies incorporated in India, have a permanent registered office and have a nodal point of contact.

Comment: Just as the debate on the Data Localization, I am sure that this rule will be fiercely contested by the industry giants. But this is a clever move of the Government which also has an impact on the “Data Protection regulations”.

I have in the past made references to the non availability of identifiable representatives of Facebook and Google in India when an abuse had to be reported and we have often observed that Police are told by these companies that their services are handled from USA subject to the laws of USA and hence all law enforcement queries have to be directed to them.

This rule therefore is the single most critical measure that may improve the law enforcement capability in India where companies such as Google, Facebook, WhatsApp, PayPal, and many others may have to open their India subsidiaries and be subject to Indian law enforcement supervision.

…. To be continued


Previous Articles:

New Intermediary Guidelines… Legitimate and Well within the rights of the Government: 
Proactive technology tools to identify intermediary rules: 
New Intermediary Guidelines.. Intermediaries need to have Indian Subsidiaries..: 
Intermediary Guidelines.. Who is and who is not an intermediary?: 
Draft Intermediary Guidelines 2018… Public Comments invited:
Copy of the guidelines: 

This entry was posted in Cyber Law. Bookmark the permalink.

2 Responses to New Intermediary Guidelines.. Intermediaries need to have Indian Subsidiaries..

  1. Pingback: Proactive technology tools to identify intermediary rules |

  2. Pingback: New Intermediary Guidelines… Legitimate and Well within the rights of the Government |

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.